A properly configured ModSecurity should be able to ward off most of those attacks; you could also investigate running PHP in safe mode. The issue with security is that it is a moving target. Keep scanning your applications for security vulnerabilities to keep ahead of the attackers.

For application scanning, you won't do that well using Nessus or Nikto, even though they can help you as a start.
It's like doing app pentests, where you have the choice of either some kind of black-box testing with automated support (e.g. with Acunetix or similar; Acunetix is free for at least detecting XSS and crawling, and you could combine this with other free tools like Burp, which can help to find more when letting Acunetix crawl through the page) and manual testing, versus (manual / automated) code review. For PHP software you could try "RIPS". I did not use it yet, but the description sounded pretty interesting. Sqlmap, for example, is interesting for checking SQL injections... You will find more tools when googling around for the above; OWASP or WebAppSec (and their mailing list archives) are a good resource pool as well.